Fedora has issued an advisory on August 20: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PA4WRBGUOIUFQNNFWZ5NRQ6K7S63JU6G/ I don't know if older versions are affected.
CC: (none) => mrambo, smelror
Assigning to all packagers collectively, since there is no registered maintainer for this package.
Assignee: bugsquad => pkg-bugs
CC: (none) => marja11
Note that apparently dolphin-emu is supposed to be rebuilt against the update for this, with a patch: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D6U2272NETOXVX3RSEZBUGSAZANM2OSJ/ https://src.fedoraproject.org/cgit/rpms/dolphin-emu.git/commit/?id=a1b91fdf94981e12c8889a02cba0ec2267d0f303
CC: (none) => rverschelde
(In reply to David Walser from comment #2)
> Note that apparently dolphin-emu is supposed to be rebuilt against the
> update for this, with a patch:
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D6U2272NETOXVX3RSEZBUGSAZANM2OSJ/
> https://src.fedoraproject.org/cgit/rpms/dolphin-emu.git/commit/?id=a1b91fdf94981e12c8889a02cba0ec2267d0f303

I'll have to look deeper into it, but it's not clear to me why this patch would be needed for security reasons. As in, if all downstream users need to be patched to change the way they *include* the upstream library, then the upstream security fixes are likely not good enough (can't tell users "it's secure unless you forget this define").
Patched package uploaded for cauldron and Mageia 6.

Advisory:
========================

Updated soundtouch package fixes security vulnerabilities:

* Reachable assertion in FIRFilter.cpp causing denial of service (CVE-2018-14045).
* Reachable assertion in RateTransposer::setChannels() causing denial of service (CVE-2018-14044).
* Heap-based buffer overflow in SoundStretch/WavFile.cpp:WavInFile::readHeaderBlock() potentially leading to code execution (CVE-2018-1000223).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14044
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14045
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000223
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PA4WRBGUOIUFQNNFWZ5NRQ6K7S63JU6G/
========================

Updated packages in core/updates_testing:
========================
lib64soundtouch1-1.9.2-2.2.mga6
lib64soundtouch-devel-1.9.2-2.2.mga6
soundtouch-1.9.2-2.2.mga6

from soundtouch-1.9.2-2.2.mga6.src.rpm

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=23323#c4
Keywords: (none) => has_procedure
Version: Cauldron => 6
Assignee: pkg-bugs => qa-bugs
Mageia 6, x86_64

CVE-2018-14044
https://github.com/TeamSeri0us/pocs/blob/master/soundtouch/1-Poc
$ soundstretch 1-Poc out.wav
SoundStretch v1.9.2 - Written by Olli Parviainen 2001 - 2015
Segmentation fault (core dumped)

CVE-2018-14045
https://github.com/TeamSeri0us/pocs/blob/master/soundtouch/2-Poc
$ soundstretch 2-Poc out.wav
soundstretch: RateTransposer.cpp:180: void soundtouch::RateTransposer::setChannels(int): Assertion `nChannels > 0' failed.
Aborted (core dumped)

CVE-2018-1000223
https://github.com/TeamSeri0us/pocs/blob/master/soundtouch/3-Poc
Assuming that 3-Poc is the same as soundstretch000_id_000001,sig_06,src_000000,op_flip1,pos_22. Although https://gitlab.com/soundtouch/soundtouch/issues/6 refers to 1-Poc.
$ soundstretch 3-Poc out.wav
Uses 32bit floating point sample type in processing.
Processing the file with the following changes:
  tempo change = +0 %
  pitch change = +0 semitones
  rate change = +0 %
Working...soundstretch: FIRFilter.cpp:188: virtual uint soundtouch::FIRFilter::evaluateFilterMulti(soundtouch::SAMPLETYPE*, const SAMPLETYPE*, uint, uint): Assertion `numChannels < 16' failed.
Aborted (core dumped)

Updated the packages and ran the reproducer tests again.

CVE-2018-14044
$ soundstretch 1-Poc out.wav
Input file is corrupt or not a WAV file

CVE-2018-14045
$ soundstretch 2-Poc out.wav
Error: Illegal number of channels

CVE-2018-1000223
$ soundstretch 3-Poc out.wav
Error: Illegal number of channels

That looks like a satisfactory outcome.

$ soundstretch -license
SoundStretch v1.9.2 - Written by Olli Parviainen 2001 - 2015
[...]

Ran some simple checks on local music files.

$ soundstretch Corries.wav out.1 -tempo=-50 -pitch=+8
Processing the file with the following changes:
  tempo change = -50 %
  pitch change = +8 semitones
  rate change = +0 %
Working...Done!

$ soundstretch Corries.wav out.2 -tempo=-10 -quick
  tempo change = -10 %
  pitch change = +0 semitones
  rate change = +0 %

$ soundstretch LammasTide.wav out.3 -rate=+100 -pitch=+5
  tempo change = +0 %
  pitch change = +5 semitones
  rate change = +100 %

Used aplay to play the output files - results as expected.

Good for 64-bits.
Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25
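The test log above shows the pattern the fix relies on: a hostile WAV header used to reach an assert() (an abort, i.e. a crash/DoS) or a heap write in WavInFile::readHeaderBlock(), and the patched soundstretch instead refuses the input with "Input file is corrupt or not a WAV file" or "Error: Illegal number of channels" before anything is allocated. The following is an added, stand-alone illustration of that hardening in C; it is not SoundTouch or soundstretch code and does not reproduce the library's parser. The upper channel bound of 15 is an assumption taken from the `numChannels < 16` assertion quoted in the log, and the headers it parses are constructed in the block itself.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not SoundTouch/soundstretch code: a minimal WAV header
 * parser that rejects bad channel counts and oversized chunks with an
 * error return instead of reaching an assert() or an out-of-bounds write. */

enum wav_status {
    WAV_OK = 0,
    WAV_NOT_WAV,       /* cf. "Input file is corrupt or not a WAV file" */
    WAV_TRUNCATED,     /* a length field claims more bytes than we have */
    WAV_BAD_CHANNELS   /* cf. "Error: Illegal number of channels" */
};

/* Assumed bound for this example, taken from the `numChannels < 16`
 * assertion in FIRFilter.cpp quoted in the test log above. */
#define WAV_MAX_CHANNELS 15

struct wav_fmt {
    uint16_t format, channels, bits_per_sample;
    uint32_t sample_rate;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walks RIFF chunks up to "fmt " and checks every length field against the
 * real buffer size, so a hostile header cannot steer reads or the later
 * per-channel allocations out of bounds. */
enum wav_status parse_wav_header(const uint8_t *buf, size_t len, struct wav_fmt *out)
{
    if (len < 12) return WAV_TRUNCATED;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0) return WAV_NOT_WAV;

    size_t off = 12;
    for (;;) {
        if (off > len || len - off < 8) return WAV_TRUNCATED;   /* room for a chunk header? */
        uint32_t csize = rd32(buf + off + 4);
        if (csize > len - off - 8) return WAV_TRUNCATED;        /* claimed length vs real bytes */
        if (memcmp(buf + off, "fmt ", 4) == 0) {
            const uint8_t *f = buf + off + 8;
            if (csize < 16) return WAV_NOT_WAV;
            out->format = rd16(f);
            out->channels = rd16(f + 2);
            out->sample_rate = rd32(f + 4);
            out->bits_per_sample = rd16(f + 14);
            /* The validation the reachable assertions were standing in for: */
            if (out->channels == 0 || out->channels > WAV_MAX_CHANNELS) return WAV_BAD_CHANNELS;
            return WAV_OK;
        }
        off += 8 + (size_t)csize + (csize & 1);  /* RIFF chunks are 16-bit aligned */
    }
}

/* --- constructed inputs for the demonstration --- */

static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)((v >> (8 * i)) & 0xff); }

/* Builds a canonical 44-byte PCM header carrying the given channel count. */
size_t build_wav_header(uint8_t out[44], uint16_t channels)
{
    memcpy(out, "RIFF", 4); wr32(out + 4, 36); memcpy(out + 8, "WAVE", 4);
    memcpy(out + 12, "fmt ", 4); wr32(out + 16, 16);
    wr16(out + 20, 1);                          /* PCM */
    wr16(out + 22, channels);
    wr32(out + 24, 44100);
    wr32(out + 28, 44100u * channels * 2);      /* byte rate (may wrap for absurd counts) */
    wr16(out + 32, (uint16_t)(channels * 2));   /* block align */
    wr16(out + 34, 16);                         /* bits per sample */
    memcpy(out + 36, "data", 4); wr32(out + 40, 0);
    return 44;
}

/* Parser verdict for a well-formed header with `channels` channels. */
enum wav_status status_for_channels(uint16_t channels)
{
    uint8_t hdr[44]; struct wav_fmt fmt;
    return parse_wav_header(hdr, build_wav_header(hdr, channels), &fmt);
}

/* Parser verdict for a header whose fmt chunk length overstates the file. */
enum wav_status status_for_oversized_chunk(void)
{
    uint8_t hdr[44]; struct wav_fmt fmt;
    build_wav_header(hdr, 2);
    wr32(hdr + 16, 0xFFFFFFF0u);                /* fmt chunk claims ~4 GiB */
    return parse_wav_header(hdr, 44, &fmt);
}

int main(void)
{
    static const char *names[] = { "ok", "not a WAV file", "truncated", "illegal number of channels" };
    uint16_t cases[] = { 2, 0, 16, 0xFFFF };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("channels=%5u -> %s\n", cases[i], names[status_for_channels(cases[i])]);
    printf("oversized fmt chunk -> %s\n", names[status_for_oversized_chunk()]);
    return 0;
}
```

The design point is that every value read from the header is validated before it is used to size anything, and the failure is an error code the caller can report, not an assert() that only fires in debug builds and aborts the process when it does. That is also what makes a downstream consumer safe without having to know about any build-time define, which is the concern raised in comment 3.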
Advisory committed to svn. Validating the update based on above comments.
Keywords: (none) => advisory, validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0385.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED